General Best Practices for Image Hardening
We recommend using distroless images whenever possible. If you need a shell or interactive capabilities, use minimal base images like Alpine or Debian Slim.
- Always use minimal base images and prefer distroless if possible.
- Remove unnecessary packages, tools, and shells to reduce the attack surface.
- Run containers as a non-root user.
- Use read-only file systems and restrict Linux capabilities to the minimum required.
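The following multi-stage Dockerfile is an added example that applies all four practices above to a small Go service; it is not taken from this page or from the Container Hardening Workbench Project. The application name, port and image tag are assumptions, as is the run command in the trailing comment.

```dockerfile
# Stage 1: build with the full toolchain. Compilers, package manager and
# shell stay here; only the compiled binary is copied into the final image.
FROM golang:1.22 AS build
WORKDIR /src
COPY go.* ./
RUN go mod download
COPY . .
# CGO_ENABLED=0 produces a statically linked binary, so the runtime image
# needs no libc at all; -s -w strip the symbol and DWARF tables.
RUN CGO_ENABLED=0 go build -ldflags="-s -w" -o /out/app .

# Stage 2: distroless runtime. No shell, no package manager, no coreutils,
# so a compromised process has almost nothing to execute. The :nonroot tag
# ships a pre-created unprivileged user (uid 65532).
FROM gcr.io/distroless/static-debian12:nonroot
# Deliberately left owned by root (the default): the unprivileged process
# can execute its own binary but cannot modify it.
COPY --from=build /out/app /app
# Explicit USER so the container stays unprivileged even if someone later
# switches the base image tag to one that defaults to root.
USER nonroot:nonroot
# An unprivileged port means CAP_NET_BIND_SERVICE is never needed.
EXPOSE 8080
ENTRYPOINT ["/app"]

# Read-only root filesystem and capability restrictions are runtime
# settings, not image settings. Assumed run command for this image:
#   --read-only                      immutable root filesystem
#   --tmpfs /tmp:...,noexec,nosuid   scratch space that cannot hold executables
#   --cap-drop=ALL                   drop every Linux capability
#   --security-opt=no-new-privileges block setuid/setcap-based escalation
#
#   docker run --rm \
#     --read-only \
#     --tmpfs /tmp:rw,noexec,nosuid,size=16m \
#     --cap-drop=ALL \
#     --security-opt=no-new-privileges \
#     -p 8080:8080 example/app:hardened
```

A quick check that the shell really is gone: `docker run --rm --entrypoint sh example/app:hardened` fails to start because no `sh` exists in the image.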
We provide a small Container Hardening Workbench Project that you can use to experiment with different hardening techniques and see their effects on vulnerability count.
Other useful resources are the US Department of Defense's Iron Bank Container Images and the Slim-Toolkit project.